
SQL Injection Primer

SQL Injection Primer, by Nicole Gray, Cliff McCullough, and Joe Hernandez. Agenda: Overview of SQL Injection, Elaboration, Detection, Prevention, Wrap-up. Topics covered: Vulnerability (input access to a database, outsider exploit, insider exploit, trust no one), Relational Database, Example Exploit.


Presentation Transcript


  1. SQL Injection Primer By Nicole Gray, Cliff McCullough, Joe Hernandez

  2. Agenda
  • Overview of SQL Injection
  • Elaboration
  • Detection
  • Prevention
  • Wrap-up

  3. Vulnerability
  • Input access to a database
  • Outsider Exploit
  • Insider Exploit
  • Trust no one

  4. Relational Database

  5. Example Exploit

  6. Google Hacking
  • Use the Google search engine to identify information or web sites with poor security practices
  • Advanced operators aid the search:
    • intitle: - restricts the search to text in the title of the page. Ex. intitle: SQL
    • allintitle: - similar to the intitle operator; allows concatenation of key words in the title search. Ex. allintitle: SQL Password (is the same as intitle: SQL intitle: Password)
    • inurl:, allinurl: - search for keywords in the URL. Ex. inurl: login.aspx
    • site: - narrows the search to a specific site or domain, like uccs.edu or .gov. Ex. site:.uccs.edu
    • filetype: - searches for a specific file type like doc, php, cgi, or aspx. Ex. filetype:aspx (do not use the dot operator to identify the file type, like .doc)
    • intext: - identifies keywords in the text of the webpage. Ex. intext: SQL Injection
  • http://johnny.ihackstuff.com/ghdb/

  7. Types of SQL Injection
  • Three types
    • Inband: same user interface, i.e. webpage
    • Out-of-band: different communications channel, i.e. e-mail
    • Inferential: can't see the results of injection, i.e. blind SQL injection
  • Error Based – asking the database questions
    • a' or 'a' = 'a
    • Answer may be returned as an error
  • Union Based – combines the results of two SQL statements
    • SELECT * from lastname UNION SELECT * from office
  • Blind – asks the database true and false questions; may not see specific results
    • Interpret or deduce results
    • Game of 20 questions

  8. SQL Injection Tools
  • SQL Map* is a tool that aids in the fingerprinting of a backend database
  • SQL Ninja* http://sqlninja.sourceforge.net/
    • Aids in the exploitation of SQL injection vulnerabilities; can provide root level command access to the system
  • Automagic SQL Injector*
    • Designed to work with a generic installation of MS SQL
    • http://scoobygang.org/magicsql/
  • Videos on SQL injection can be found on the internet; one great source is http://securitytube.net/
  *Source: EC Council Certified Ethical Hacker Volume 3 Chapter 19

  9. Detection
  • Application layer firewalls
    • Inspects each packet, decides to pass or reject
    • Easier to update firewall rules than to update application program code
  • Intrusion Detection System (IDS)
    • Network-based, Systems-based, Host-based
    • Compares packets to known signatures

  10. Prevention
  • Mitigate the risk
  • Review web applications, program code, and back-end system design
  • SQL queries should be parameterized or use stored procedures
  • Validate user input

  11. Prevention continued
  • Restrict privileges
  • White lists and black lists
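As an added illustration of slides 10 and 11 (this is example code, not part of the original presentation), the following Python builds a small in-memory SQLite table constructed here and shows the slide 7 tautology `a' or 'a' = 'a` matching every row through a string-built query, while a parameterized query and a whitelist check on the username reject it:

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for this example only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: the caller's text becomes part of the SQL itself,
    # so a quote in the input changes the query's logic.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    # Placeholders fix the query structure; the driver binds the values,
    # so quotes in the input are just data, never SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# Whitelist from slide 11: accept only the characters a username may contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def username_allowed(username):
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    conn = make_db()
    tautology = "a' or 'a' = 'a"  # the error-based probe quoted on slide 7
    return {
        "vulnerable": login_vulnerable(conn, tautology, tautology),
        "parameterized": login_parameterized(conn, tautology, tautology),
        "whitelist_rejects_probe": username_allowed(tautology),
        "whitelist_accepts_name": username_allowed("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated query returns both users because `'a' = 'a'` is always true, whereas the parameterized form returns nothing for the same input.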

  12. Wrap-up
  • SQL Injection is increasing in prevalence
  • Not possible to absolutely defend against all possible attacks
  • Risk of attack can be reduced:
    • Maintain firewalls, intrusion detection / prevention systems
    • Manage access to queries through parameterization and stored procedures
    • Always validate user input
    • Restrict accounts
    • Use whitelists and blacklists
